Examples of security behaviour change challenges in security management, software development, auditing and compliance and national policy

Security Behaviour Change Challenges Across Different Domains

1. Security Management:

  • Challenge: Aligning security practices with organizational culture.
  • Details: Security management often faces resistance from employees who view security protocols as intrusive or disruptive. Managing this resistance involves not just implementing policies but also addressing the underlying attitudes and perceptions towards security. For instance, if employees feel that security measures hinder their productivity, they may bypass them, leading to non-compliance.
  • Reference: Hwang, I., Kim, D., Kim, T., & Kim, S. (2017). “Why not comply with information security? An empirical approach for the causes of non-compliance.” Online Information Review, 41(1), 2–18.

2. Software Development:

  • Challenge: Integrating security features without compromising usability.
  • Details: Developers often struggle to balance security with user experience. Security features that are too complex or intrusive can lead to user frustration and eventual bypassing of security measures. This challenge is compounded by the need to continually adapt to new threats while maintaining functionality.
  • Reference: Hwang et al. (2017) discuss how inadequate security measures or overly complex implementations can lead to non-compliance or security breaches.

3. Auditing and Compliance:

  • Challenge: Ensuring accurate and comprehensive compliance audits.
  • Details: Auditors face difficulties in ensuring that all aspects of security policies are being followed. Non-compliance can occur due to incomplete audits, misunderstanding of compliance requirements, or failure to address the root causes of non-compliance. The auditing process itself must be rigorous and adaptable to changes in regulations and technology.
  • Reference: The paper by Hwang et al. (2017) highlights various issues in compliance and auditing processes, such as inconsistent enforcement and inadequate follow-up.

4. National Policy:

  • Challenge: Implementing uniform security policies across diverse sectors.
  • Details: National policies must cater to a wide range of industries with varying security needs and capacities. A one-size-fits-all approach may not be effective, leading to gaps in compliance and enforcement. Additionally, national policies need to be adaptable to the rapidly changing cybersecurity landscape and technological advancements.
  • Reference: The paper discusses systemic issues related to non-compliance, which can be extrapolated to national policy challenges such as the difficulty of enforcing uniform standards across different sectors.

Key Points from the Paper:

  • Non-Compliance Causes: Hwang et al. (2017) identify factors such as lack of awareness, inadequate training, and perceived inconvenience as causes of non-compliance.
  • Wicked Problems: Many of these issues align with characteristics of wicked problems, where solutions are complex, context-dependent, and resistant to straightforward fixes.

Book Reference for Further Reading:

  • Book: “Wicked Problems: Problems Worth Solving” by Jon Kolko.
    • Summary: This book provides insights into understanding and addressing wicked problems, including those in cybersecurity. It offers frameworks for tackling complex issues where traditional problem-solving methods fall short.

By recognizing the complexity of non-compliance issues and applying strategies for addressing wicked problems, organizations can develop more effective security behaviour change interventions and policies.
